  1. Bamboo Data Center
  2. BAM-16337

Passwords still exposed in logs

Details

    • Bug
    • Resolution: Cannot Reproduce
    • Medium
    • 5.10.1
    • 5.9
    • Security, Variables
    • None

    Description

      BAM-13916 is not resolved and we are still seeing our production password appearing in the logs for shell commands that the build is executing. An example command (with the script filename removed):

      perl <SCRIPT> PRODUCTION file=all pw=${bamboo.dbpassword} ALLOW_NUMERIC_CHANGES=1

      The line that logs the execution of that command shows the password in plaintext and looks like this:

      simple 06-Jul-2015 16:10:08 Executing [perl <SCRIPT> PRODUCTION file=all pw=<PASSWORD> ALLOW_NUMERIC_CHANGES=1]

      Also seen in version 5.9:

      Additionally, failures of the type com.atlassian.utils.process.ProcessException can expose variables saved with "password" in the var name.

          People

            Unassigned Unassigned
            chris.gross1 chris gross
            Votes: 4
            Watchers: 7
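An added example, not part of the original report and not Atlassian's code: a Python check that can be run over stored build logs to mask and flag secrets in lines of the shape quoted in the description. The function names, the key-name pattern and the sample lines (including the password value and the exception text) are constructed assumptions.

```python
import re

MASK = "********"
# Shape of the command-execution line quoted in the report.
EXEC_LINE = re.compile(r"Executing \[(?P<cmd>.*)\]\s*$")
# Argument names treated as secret-bearing (assumption; adapt to your scripts).
SECRET_KEY = re.compile(r"^pw$|pass|secret|token", re.IGNORECASE)

def redact_line(line, known_secrets=()):
    """Return (redacted_line, leaked) for one build-log line."""
    leaked = False
    # 1. Mask literal occurrences of known secret values, longest first,
    #    so a leak in any line (e.g. an exception message) is caught.
    for secret in sorted(filter(None, known_secrets), key=len, reverse=True):
        if secret in line:
            line, leaked = line.replace(secret, MASK), True
    # 2. In "Executing [...]" lines, mask key=value arguments whose key looks
    #    secret-bearing, even when the value itself is not known in advance.
    #    Splitting on spaces ignores shell quoting; that is a simplification.
    m = EXEC_LINE.search(line)
    if m:
        args = []
        for arg in m.group("cmd").split(" "):
            key, sep, val = arg.partition("=")
            if sep and val and val != MASK and SECRET_KEY.search(key):
                arg, leaked = key + "=" + MASK, True
            args.append(arg)
        line = line[:m.start("cmd")] + " ".join(args) + line[m.end("cmd"):]
    return line, leaked

def scan(lines, known_secrets=()):
    """Return (redacted_lines, 1-based numbers of lines that leaked)."""
    redacted, leaks = [], []
    for number, line in enumerate(lines, start=1):
        clean, leaked = redact_line(line, known_secrets)
        redacted.append(clean)
        if leaked:
            leaks.append(number)
    return redacted, leaks

# Constructed sample log: the password value and the exception text are made up.
SAMPLE = [
    "simple 06-Jul-2015 16:10:08 Executing [perl <SCRIPT> PRODUCTION file=all pw=Ex4mple-Only ALLOW_NUMERIC_CHANGES=1]",
    "error 06-Jul-2015 16:10:09 com.atlassian.utils.process.ProcessException: constructed failure text containing Ex4mple-Only",
    "simple 06-Jul-2015 16:10:10 Finished task",
]
```

Key-name matching alone only catches the `Executing [...]` line; the exception line is flagged only when the actual secret value is passed in `known_secrets`.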